zmitchell / proctrace

A high-level profiler for process-level events such as fork, exec, exit, setpgid, and setsid
https://proctrace.xyz
Apache License 2.0

Duplicate `exec`s #1

Open zmitchell opened 2 months ago

zmitchell commented 2 months ago

Steps to reproduce:

```
$ proctrace record -o demo.log -- ./demo_script.sh
$ proctrace render -i demo.log -d by-process
```

You'll see a bunch of duplicate exec events at the beginning of the output. I suspect that the probe we're using is also firing for threads for some reason.

zmitchell commented 2 months ago

Ha, it turns out the events aren't erroneous duplicates, they're real! From the output of strace:

```
[pid 171963] execve("/home/zmitchell/src/proctrace/main/target/debug/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/src/proctrace/main/.flox/run/x86_64-linux.proctrace/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/src/proctrace/main/.flox/run/x86_64-linux.proctrace/sbin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/.local/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/run/wrappers/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/.nix-profile/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/nix/profile/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/home/zmitchell/.local/state/nix/profile/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/etc/profiles/per-user/zmitchell/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/nix/var/nix/profiles/default/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 171963] execve("/run/current-system/sw/bin/bash", ["bash", "./demo_script.sh"], 0x7ffe96f9d298 /* 100 vars */) = 0
```

zmitchell commented 2 months ago

So basically we need to record the filename of the program being execed, not just the arguments. We also need to filter out any execve calls that had a non-zero return code.

zmitchell commented 2 months ago

Both of these can be done very simply in the bpftrace script.
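
The filtering described in this thread, as an added example that is not part of the issue or of proctrace's code: a Python pass over strace-style `execve` lines that keeps the filename, drops calls with a non-zero return, and attaches the failed PATH probes to the exec that finally succeeded. It post-processes text rather than changing the bpftrace script; the sample lines, pids and paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the strace format quoted in the thread (pids and paths are made up).
SAMPLE = """\
[pid 4242] execve("/home/user/.local/bin/bash", ["bash", "./demo_script.sh"], 0x7ffc00000000 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 4242] execve("/usr/local/bin/bash", ["bash", "./demo_script.sh"], 0x7ffc00000000 /* 100 vars */) = -1 ENOENT (No such file or directory)
[pid 4242] execve("/usr/bin/bash", ["bash", "./demo_script.sh"], 0x7ffc00000000 /* 100 vars */) = 0
[pid 4243] execve("/usr/bin/sleep", ["sleep", "1"], 0x7ffc00000010 /* 100 vars */) = 0
[pid 4244] execve("/usr/local/bin/nosuchtool", ["nosuchtool"], 0x7ffc00000020 /* 100 vars */) = -1 ENOENT (No such file or directory)
"""

# A double-quoted strace string, allowing backslash escapes inside it.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
EXECVE = re.compile(
    r'^\[pid\s+(\d+)\] execve\(' + QUOTED + r', \[(.*)\], 0x[0-9a-f]+ /\* \d+ vars \*/\)'
    r' = (-?\d+)(?: ([A-Z]+))?'
)

def parse_execve(line):
    """Return (pid, filename, argv, ret, errno) for an execve line, else None."""
    m = EXECVE.match(line)
    if not m:
        return None
    pid, filename, argv, ret, errno = m.groups()
    return int(pid), filename, re.findall(QUOTED, argv), int(ret), errno

def successful_execs(text):
    """One event per execve that returned 0; failed probes are attached, not emitted."""
    failed = {}   # pid -> filenames tried since that pid's last successful exec
    events = []
    for line in text.splitlines():
        parsed = parse_execve(line)
        if parsed is None:
            continue
        pid, filename, argv, ret, _errno = parsed
        if ret != 0:
            # Same argv, different filename: a PATH probe that did not resolve.
            failed.setdefault(pid, []).append(filename)
            continue
        events.append({"pid": pid, "filename": filename, "argv": argv,
                       "failed_probes": failed.pop(pid, [])})
    return events

if __name__ == "__main__":
    for ev in successful_execs(SAMPLE):
        print(ev["pid"], ev["filename"], ev["argv"], len(ev["failed_probes"]), "failed probes")
```

A pid whose probes never succeed (4244 in the sample) produces no exec event, which matches the "filter out non-zero return codes" rule stated above.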